CVE-2020-11989

CRITICAL

Apache Shiro < 1.5.3 - Authentication Bypass via Spring Dynamic Controllers

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-11989. PoCs published by JAckLosingHeart, cuijiung, HYWZ36.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2020-11989, demonstrating an authentication bypass vulnerability in Apache Shiro. The code includes a Spring Boot application with Shiro configuration, a custom realm, and a login controller that can be used to test the vulnerability.

Description

In Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Exploits (3)

github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/shiro-CVE-2020-11989

Classification
Working PoC 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache Shiro
No auth needed
Prerequisites: Apache Shiro configured with vulnerable settings
devstral-2 · analyzed Feb 27, 2026
nomisec STUB
by cuijiung · poc
https://github.com/cuijiung/shiro-CVE-2020-11989

This repository contains a basic Apache Shiro Spring Boot application with a custom realm for authentication, but it does not include any exploit code or demonstration of CVE-2020-11989. It appears to be a stub or educational example rather than a functional PoC.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Apache Shiro (version not specified)
Auth required
Prerequisites: Apache Shiro configured in a Spring Boot application
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by HYWZ36 · poc
https://github.com/HYWZ36/HYWZ36-CVE-2020-11989-code

This repository contains a proof-of-concept for CVE-2020-11989, demonstrating an authentication bypass vulnerability in Apache Shiro. The code includes a Spring Boot application with Shiro configuration, showcasing how improper configuration can lead to unauthorized access.

Classification
Working PoC 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache Shiro (versions affected by CVE-2020-11989)
No auth needed
Prerequisites: Access to the target application · Apache Shiro misconfiguration
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.2444
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
apache/shiro < 1.5.3
org.apache.shiro/shiro-core 0 - 1.5.3 (Maven)
Published Jun 22, 2020
Tracked Since Feb 18, 2026